NOTE: FTC v. LabMD: FTC Jurisdiction over Information Privacy is "Plausible," But How Far Can it Go?

By Peter S. Frecehette | 62 Am. U. L. Rev. 1401 (2013)

Companies in nearly every industry collect, store, and use personal information from consumers. Recently, company databases have become the target of increasingly sophisticated attacks aimed atstealing this information. Data breaches occur with such regularity that the Federal Bureau of Investigation (FBI) has separated companies into two categories: “those that have been hacked, and those that will be.” The Federal Trade Commission (FTC) plays a large role in the cybersecurity world by enforcing specific statutes and, more generally, utilizing its authority under the Federal Trade Commission Act (FTC Act) to penalize companies that allow data breaches. Recently, however, businesses have begun to push back, contesting the FTC’s authority to police information security.

In FTC v. LabMD, Inc., a company under FTC investigation for an alleged data breach challenged the FTC’s ability to issue an administrative subpoena. LabMD indirectly disputed the FTC’s role in information security and its use of the unfairness category of the FTC Act as a basis of enforcement in data breach cases. The district court ultimately found that the FTC made a plausible case for its authority, but based its holding on the weight of precedent surrounding the FTC’s general use of the FTC Act in information security cases. Thus, the FTC’s reliance on the FTC Act is currently permitted, but could be challenged in the future. LabMD’s challenge of the FTC’s authority was significant however, because there is no legislative or executive action on privacy, so the FTC’s guidance, best practices, and enforcement set the de facto “privacy law.” As the FTC casts an increasingly wider net with or without congressional or executive action on data security, the future of the FTC Act’s scope in this area is uncertain.